Ping.exe Issues? @PhilliePhan or Anyone else

You failed to update MBA-M before the scan, that is a must since MBA-M releases updates multiple times daily the absolute rule is update before each and every scan, even multiple scans run the same day. An update may have been released while you were scanning. Your log shows Database version: 7622 and current Database version is 8325. You need to update it and do the full scan again.
If you cannot get online using wifi, try plugging the internet cable directly into the computer and see if you can go online.

DO NOT use System Restore, this will not remove an infection and possibly make it that much harder to remove because system restore could possibly remove visible traces of the infection, but not the infection itself.
Leave System Restore alone.

A screen shot of items removed by Avira and MBA-M are not what we need to see, what we need to see are the logs created by both programs at the time of removal. Both are readily available within each program. Please look for those logs and post them both.

I do have to stress, since MBA-M found something with an out of date database there very likely is much more there, that program must be updated and run again.

Hi CCG,

In addition to what Judy has posted above, there are a couple tools we need to run after the fresh MBAM scan.

If you have any trouble with the steps, just let us know and we'll talk you through it - no worries :)

When you run these tools, be sure ALL other windows are closed and you are not running any other tools or programs.

--- Please download aswMBR and run it as per the directions in the linky.
- Please save the scanlog as directed in the linky and just Copy & Paste it into your next reply. Do Not fix anything just yet.
- If it asks to download Avast!'s Anti-virus database, please go ahead and do that.

--- Then, please download OTL.exe to the Desktop.

Run OTL.

- Where it says Output, change it to Minimal Output.
- Change the Standard Registry Box to All.
- Check the boxes for the LOP Check and and the Purity Check.

Then, hit the Run Scan button.

--- TWO scanlogs should open (and also be saved on the Desktop with OTL.exe) --- > OTL.Txt and Extras.Txt.

Please Copy & Paste these into your reply for us and we will go from there.
There are likely two more tools we'll need to run, but let's just start with the above for now.

Cheers :)
PP

You failed to update MBA-M before the scan, that is a must since MBA-M releases updates multiple times daily the absolute rule is update before each and every scan, even multiple scans run the same day. An update may have been released while you were scanning. Your log shows Database version: 7622 and current Database version is 8325. You need to update it and do the full scan again.
If you cannot get online using wifi, try plugging the internet cable directly into the computer and see if you can go online.

DO NOT use System Restore, this will not remove an infection and possibly make it that much harder to remove because system restore could possibly remove visible traces of the infection, but not the infection itself.
Leave System Restore alone.

A screen shot of items removed by Avira and MBA-M are not what we need to see, what we need to see are the logs created by both programs at the time of removal. Both are readily available within each program. Please look for those logs and post them both.

I do have to stress, since MBA-M found something with an out of date database there very likely is much more there, that program must be updated and run again.

I would have sworn I accepted the updated MBA-M when it gave me an option. I will try that now. I will also post copies of the other logs as soon as possible.

As for plugging in the network cable directly, it has no effect. I get the pop up that tells me that the wireless connection has been de-activated because the cable is plugged in. Then it sits there with the same type of message; "connected, and looking for an address" It never connects.

I would have sworn I accepted the updated MBA-M when it gave me an option. I will try that now. I will also post copies of the other logs as soon as possible.

As for plugging in the network cable directly, it has no effect. I get the pop up that tells me that the wireless connection has been de-activated because the cable is plugged in. Then it sits there with the same type of message; "connected, and looking for an address" It never connects.

Ok, please bare with me on this. How do you update the MBA-M on a computer that doesn't connect to the internet? I tried to save the updated database from their website to my jump drive, but my sisters A/V program told me I needed to enter a pass word for it. (I'm accessing the forum from her laptop, and dont want to risk anything happening to hers).

You will have to get her password from her as it is her program asking for a password.

For now skip that part and do the other steps that PhilliePhan has given you.

Hey CCG,

These tools can be burned to a CD if that is easier for you. That way you can use the flash drive only to help post scanlogs.

I completely spaced on the connectivity issue, so it may save some time to download these tools in addition to the ones I mentioned before and put them on the disk as well:

combofix

tdsskiller

-- See if you are able to run the two scans from my previous post and we'll go from there. Judy may add some steps as I imagine she is more up to date on these baddies than I am these days.

PP:)

Hi CCG,

In addition to what Judy has posted above, there are a couple tools we need to run after the fresh MBAM scan.

If you have any trouble with the steps, just let us know and we'll talk you through it - no worries :)

When you run these tools, be sure ALL other windows are closed and you are not running any other tools or programs.

--- Please download aswMBR and run it as per the directions in the linky.
- Please save the scanlog as directed in the linky and just Copy & Paste it into your next reply. Do Not fix anything just yet.
- If it asks to download Avast!'s Anti-virus database, please go ahead and do that.

--- Then, please download OTL.exe to the Desktop.

Run OTL.

- Where it says Output, change it to Minimal Output.
- Change the Standard Registry Box to All.
- Check the boxes for the LOP Check and and the Purity Check.

Then, hit the Run Scan button.

--- TWO scanlogs should open (and also be saved on the Desktop with OTL.exe) --- > OTL.Txt and Extras.Txt.

Please Copy & Paste these into your reply for us and we will go from there.
There are likely two more tools we'll need to run, but let's just start with the above for now.

Cheers :)
PP

I just turned my computer on to run these scans and the avira antivirus popped up saying it found the TR/Rootkit.gen2 and blocked it. I dont know how it keep spreading but it is. This is the same thing that it supposedly blocked before, when all these problems started.

Here are the logs you requested earlier.

OTL
OTL logfile created on: 12/7/2011 11:33:48 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 184.82 Mb Available Physical Memory | 36.17% Memory free
1.22 Gb Paging File | 0.91 Gb Available in Paging File | 74.33% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 30.80 Gb Free Space | 27.55% Space Free | Partition Type: NTFS
Drive G: | 1863.01 Gb Total Space | 1780.45 Gb Free Space | 95.57% Space Free | Partition Type: NTFS

Computer Name: OWNER-0FE07171A | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe ()
PRC - C:\WINDOWS\system32\acs.exe (Atheros)
PRC - C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
PRC - C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe ()
PRC - C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

========== Modules (No Company Name) ==========

MOD - C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll ()
MOD - C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\nwculoc.dll ()
MOD - C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\oemresloc.dll ()
MOD - C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe ()
MOD - C:\WINDOWS\system32\wgapiloc.dll ()
MOD - C:\WINDOWS\system32\wgapi.dll ()
MOD - C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
MOD - C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe ()

========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (WMZuneComm) -- c:\Program Files\Zune\WMZuneComm.exe (Microsoft Corporation)
SRV - (ZuneWlanCfgSvc) -- c:\Program Files\Zune\ZuneWlanCfgSvc.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc) -- c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (ZuneBusEnum) -- c:\Program Files\Zune\ZuneBusEnum.exe (Microsoft Corporation)
SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)
SRV - (LVPrcSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)

========== Driver Services (SafeList) ==========

DRV - (NPF) WinPcap Packet Driver (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (Cdr4_xp) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Roxio)
DRV - (Cdralw2k) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Roxio)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (AR9271) -- C:\WINDOWS\system32\drivers\athuw.sys (Atheros Communications, Inc.)
DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)
DRV - (LVPr2Mon) -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys ()
DRV - (PID_PEPI) Logitech QuickCam IM(PID_PEPI) -- C:\WINDOWS\system32\drivers\LV302V32.SYS (Logitech Inc.)
DRV - (WinUSB) -- C:\WINDOWS\system32\drivers\winusb.sys (Microsoft Corporation)
DRV - (P16X) Creative SB Live! Series (WDM) -- C:\WINDOWS\system32\drivers\P16X.sys (Creative Technology Ltd.)
DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (BCMModem) -- C:\WINDOWS\system32\drivers\BCMSM.sys (Broadcom Corporation)
DRV - (dvd_2K) -- C:\WINDOWS\System32\drivers\Dvd_2k.sys (Roxio)
DRV - (mmc_2K) -- C:\WINDOWS\System32\drivers\Mmc_2k.sys (Roxio)
DRV - (pwd_2k) -- C:\WINDOWS\System32\drivers\pwd_2K.sys (Roxio)
DRV - (cdudf_xp) -- C:\WINDOWS\System32\drivers\cdudf_xp.sys (Roxio)
DRV - (UdfReadr_xp) -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys (Roxio)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Documents and Settings\Owner\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2011/07/06 10:42:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2011/09/01 11:27:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/10 13:44:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/05 17:32:50 | 000,000,000 | ---D | M]

[2011/04/19 23:19:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2011/11/10 13:45:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wvpwlq2l.default\extensions
[2011/11/10 13:45:11 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wvpwlq2l.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/06/24 00:56:06 | 000,000,000 | ---D | M] (Search Toolbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wvpwlq2l.default\extensions\searchtoolbar@zugo.com
[2011/09/01 11:27:53 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/10 13:44:00 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2011/09/01 11:27:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\WVPWLQ2L.DEFAULT\EXTENSIONS\{AE93811A-5C9A-4D34-8462-F7B864FC4696}.XPI
[2011/11/10 13:43:59 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/21 01:01:55 | 000,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2011/10/21 01:01:55 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/10/21 01:01:55 | 000,001,131 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2011/10/21 01:01:55 | 000,002,364 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2011/11/10 13:43:59 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
[2011/10/21 01:01:55 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2011/10/21 01:01:55 | 000,001,096 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2011/11/30 13:14:18 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BCMSMMSG] C:\WINDOWS\BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
O4 - HKLM..\Run: [NWCU] C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe ()
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{058D4BD2-8779-4888-BA4A-BF309078DE48}: DhcpNameServer = 192.168.2.1 192.168.2.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) -C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) -C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") -C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - (crypt32.dll) - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - (cryptnet.dll) - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - (cscdll.dll) - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - (%SystemRoot%\System32\dimsntfy.dll) - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - (sclgntfy.dll) - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - (WgaLogon.dll) - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) -C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) -C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) -C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) -C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) -C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) -C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) -C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) -C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) -C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/04/18 17:56:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/07/09 20:07:18 | 000,000,000 | RH-D | M] - G:\autorun -- [ NTFS ]
O32 - AutoRun File - [2002/10/16 07:56:50 | 000,000,036 | RH-- | M] () - G:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/07 14:23:24 | 004,589,838 | ---- | C] (Curio Lab) -- C:\Documents and Settings\Owner\Desktop\ExterminateItSetup.exe
[2011/12/07 14:23:07 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Owner\Desktop\aswMBR.exe
[2011/12/07 14:22:57 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/12/03 20:55:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2011/12/03 17:44:58 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/03 15:02:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/11/30 13:37:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/11/30 13:13:05 | 000,281,104 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2011/11/30 13:13:05 | 000,100,880 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2011/11/30 13:13:05 | 000,050,704 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2011/11/30 02:40:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/11/30 02:39:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/11/09 00:08:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\AOL
[2011/11/09 00:04:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AOL
[2002/04/10 23:41:00 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll

========== Files - Modified Within 30 Days ==========

[2011/12/07 23:32:53 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2011/12/07 17:54:38 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/07 17:54:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/07 17:54:11 | 535,896,064 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/07 14:48:05 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003UA.job
[2011/12/07 14:43:22 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003UA.job
[2011/12/07 12:25:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/12/07 12:22:52 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Owner\Desktop\aswMBR.exe
[2011/12/05 17:37:47 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/05 17:37:47 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/05 13:43:02 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003Core.job
[2011/12/05 00:11:48 | 000,000,210 | -HS- | M] () -- C:\boot.ini
[2011/12/04 22:40:10 | 004,589,838 | ---- | M] (Curio Lab) -- C:\Documents and Settings\Owner\Desktop\ExterminateItSetup.exe
[2011/12/04 20:48:02 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003Core.job
[2011/12/03 14:45:10 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/30 13:14:18 | 000,000,761 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/11/30 13:13:05 | 000,281,104 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2011/11/30 13:13:05 | 000,100,880 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2011/11/30 13:13:05 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2011/11/30 02:44:01 | 000,018,184 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\w0fo67c3wb8igb
[2011/11/30 02:44:01 | 000,018,184 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\w0fo67c3wb8igb
[2011/11/09 00:08:43 | 000,000,466 | -H-- | M] () -- C:\IPH.PH

========== Files Created - No Company Name ==========

[2011/12/07 23:32:52 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2011/12/04 23:01:35 | 535,896,064 | -HS- | C] () -- C:\hiberfil.sys
[2011/11/30 02:25:57 | 000,018,184 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\w0fo67c3wb8igb
[2011/11/30 02:25:57 | 000,018,184 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\w0fo67c3wb8igb
[2011/11/09 00:00:52 | 000,000,466 | -H-- | C] () -- C:\IPH.PH
[2011/11/04 14:08:05 | 000,000,483 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2011/08/16 15:16:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2011/08/12 14:50:39 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2011/08/12 14:50:39 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2011/08/03 22:53:41 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/20 10:34:46 | 000,053,248 | ---- | C] () -- C:\WINDOWS\uneng.exe
[2011/04/20 10:28:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/04/19 23:19:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/04/19 23:18:55 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/19 23:10:15 | 000,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2011/04/19 23:10:00 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\wgapiloc.dll
[2011/04/19 23:09:59 | 000,422,000 | ---- | C] () -- C:\WINDOWS\System32\wgapi.dll
[2011/04/18 17:59:18 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/04/18 17:52:32 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/04/18 13:42:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/04/18 13:41:27 | 000,399,880 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/10/07 00:46:36 | 000,025,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/10/07 00:23:08 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/04/30 21:39:36 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2005/03/21 18:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/21 18:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 05:00:00 | 000,432,356 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 05:00:00 | 000,067,312 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/10/06 13:16:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
[2003/07/08 12:41:48 | 000,047,616 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll

========== LOP Check ==========

[2011/04/19 23:10:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iMicro
[2011/08/08 23:05:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Audacity
[2011/04/25 00:38:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GetRightToGo
[2011/07/14 20:41:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2011/12/04 20:48:02 | 000,000,976 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003Core.job
[2011/12/07 14:48:05 | 000,000,998 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003UA.job

========== Purity Check ==========

< End of report >

EXTRAS:
OTL Extras logfile created on: 12/7/2011 11:33:48 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 184.82 Mb Available Physical Memory | 36.17% Memory free
1.22 Gb Paging File | 0.91 Gb Available in Paging File | 74.33% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 30.80 Gb Free Space | 27.55% Space Free | Partition Type: NTFS
Drive G: | 1863.01 Gb Total Space | 1780.45 Gb Free Space | 95.57% Space Free | Partition Type: NTFS

Computer Name: OWNER-0FE07171A | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Red Storm Entertainment\Ghost Recon\GhostRecon.exe" = C:\Program Files\Red Storm Entertainment\Ghost Recon\GhostRecon.exe:*:Enabled:GhostRecon -- ()
"C:\Program Files\Logitech\Logitech Vid\Vid.exe" = C:\Program Files\Logitech\Logitech Vid\Vid.exe:*:Enabled:Logitech Vid -- (Logitech Inc.)
"G:\Games\RavenShield\system\ravenshield.exe" = G:\Games\RavenShield\system\ravenshield.exe:*:Enabled:ravenshield -- ()
"C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\SRB CUSTOMS\Switch\switch.exe" = C:\SRB CUSTOMS\Switch\switch.exe:*:Enabled:Switch -- (Tams11 Software)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM
"C:\Documents and Settings\Owner\Local Settings\Application Data\Facebook\Video\Skype\FacebookVideoCalling.exe" = C:\Documents and Settings\Owner\Local Settings\Application Data\Facebook\Video\Skype\FacebookVideoCalling.exe:*:Enabled:Facebook Video Calling Plugin -- (Skype Limited)
"C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe" = C:\Program Files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe:*:Enabled:NT-USB150M Wireless N Client Utility -- ()

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002FB560-E9F9-45CD-B94B-9B264D038C74}" = Windows Tetris 1.01
"{07EEE598-5F21-4B57-B40B-46592625B3D9}" = Zune Language Pack (PTB)
"{1D7CE340-70C3-4848-BCCF-215950328A4C}" = Facebook Video Calling 1.0.0.8953
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216027FF}" = Java(TM) 6 Update 27
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{2C4E2E4E-A7C9-4CCB-BF03-FE6EBD5D4AB7}" = Windows Mobile Device Updater Component
"{31BB469B-4FC0-4E31-9FA4-A3BC3AD36CB0}" = NT-USB150M Wireless N Client Utility
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4FBCEA31-5D18-4212-9231-DE7CF1BE7DBB}" = Logitech Vid
"{5C93E291-A1CC-4E51-85C6-E194209FCDB4}" = Zune Language Pack (PTG)
"{5CF6EEE9-86B1-3DB6-A07C-8F6C079C39BA}" = Google Talk Plugin
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{6740BCB0-5863-47F4-80F4-44F394DE4FE2}" = Zune Language Pack (NLD)
"{6B33492E-FBBC-4EC3-8738-09E16E395A10}" = Zune Language Pack (ESP)
"{7006ED29-58F2-40C3-AE87-039287AD20B6}" = Zune
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{90B3B219-E807-4EC2-B986-A9CE9AB6E0E8}" = NT-USB150M Wireless N Client Utility
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A174402A-2EE6-4B86-A930-7BC85A9933BD}" = Tom Clancy's Splinter Cell
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{AF131494-F5D8-45C5-938C-D5F020CF1B0D}" = Tom Clancy's Rainbow Six 3: Raven Shield
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BE236D9A-52EC-4A17-82DA-84B5EAD31E3E}" = Zune Language Pack (DEU)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}" = Logitech Webcam Software
"{C5D37FFA-7483-410B-982B-91E93FD3B7DA}" = Zune Language Pack (ITA)
"{C68D33B1-0204-4EBE-BC45-A6E432B1D13A}" = Zune Language Pack (FRA)
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D89EF3B3-6F17-4665-B7A9-A4235A6DC787}" = Ghost Recon
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.13 (Unicode)
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"CleanUp!" = CleanUp!
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Display Driver" = NVIDIA Display Driver
"PROSet" = Intel(R) PRO Network Connections Drivers
"Switch_is1" = UpStage 1.0.2.0
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"Zune" = Zune

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/14/2011 5:50:38 PM | Computer Name = OWNER-0FE07171A | Source = Application Hang | ID = 1001
Description = Fault bucket -1612583200.

Error - 11/18/2011 5:21:36 PM | Computer Name = OWNER-0FE07171A | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 8.0.0.4325, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/26/2011 10:38:51 PM | Computer Name = OWNER-0FE07171A | Source = Avira AntiVir | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

Error - 11/27/2011 10:16:47 PM | Computer Name = OWNER-0FE07171A | Source = Avira AntiVir | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

Error - 11/28/2011 1:19:46 PM | Computer Name = OWNER-0FE07171A | Source = Avira AntiVir | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

Error - 11/28/2011 7:16:39 PM | Computer Name = OWNER-0FE07171A | Source = ZuneDriver | ID = 80837
Description =

Error - 11/28/2011 7:17:09 PM | Computer Name = OWNER-0FE07171A | Source = WPDMTPDriver | ID = 80836
Description =

Error - 11/29/2011 12:12:49 AM | Computer Name = OWNER-0FE07171A | Source = Avira AntiVir | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

Error - 11/29/2011 1:39:49 PM | Computer Name = OWNER-0FE07171A | Source = Avira AntiVir | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

Error - 11/29/2011 1:44:59 PM | Computer Name = OWNER-0FE07171A | Source = Avira AntiVir | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

[ System Events ]
Error - 12/7/2011 4:12:25 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

Error - 12/7/2011 4:12:25 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: NetBT

Error - 12/7/2011 4:16:20 AM | Computer Name = OWNER-0FE07171A | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 12/7/2011 4:34:25 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

Error - 12/7/2011 4:34:25 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: NetBT

Error - 12/7/2011 4:36:06 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 12/7/2011 3:11:05 PM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

Error - 12/7/2011 3:11:05 PM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: NetBT

Error - 12/7/2011 6:54:30 PM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

Error - 12/7/2011 6:54:30 PM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: NetBT

< End of report >

aswMBR Log:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-07 23:31:28
-----------------------------
23:31:28.453 OS Version: Windows 5.1.2600 Service Pack 3
23:31:28.453 Number of processors: 2 586 0x207
23:31:28.453 ComputerName: OWNER-0FE07171A UserName: Owner
23:31:29.015 Initialize success
23:31:33.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
23:31:33.078 Disk 0 Vendor: ST3120023A 3.33 Size: 114473MB BusType: 3
23:31:35.093 Disk 0 MBR read successfully
23:31:35.093 Disk 0 MBR scan
23:31:35.093 Disk 0 Windows XP default MBR code
23:31:35.093 Disk 0 scanning sectors +234420480
23:31:35.156 Disk 0 scanning C:\WINDOWS\system32\drivers
23:31:49.296 Service scanning
23:31:50.562 Modules scanning
23:31:59.109 Disk 0 trace - called modules:
23:31:59.125 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
23:31:59.125 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8238dab8]
23:31:59.125 3 CLASSPNP.SYS[f8576fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82394b00]
23:31:59.125 Scan finished successfully
23:32:52.984 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
23:32:53.000 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR log 12_6_2011.txt"

I thought I could find the logs folder from the avira antivirus and so far cant find it. I can view them thru the interface but I'm not sure how to put them into a notepad document or anything.

I just turned my computer on to run these scans and the avira antivirus popped up saying it found the TR/Rootkit.gen2 and blocked it. I dont know how it keep spreading but it is. This is the same thing that it supposedly blocked before, when all these problems started......

I thought I could find the logs folder from the avira antivirus and so far cant find it. I can view them thru the interface but I'm not sure how to put them into a notepad document or anything.

Hey CCG,

Did Avira remove or quarantine anything? You ought to be able to find that in the History via the gui.
Chances are that the last thing it removed was an infected driver that was needed to connect to the internet. If that is the case, we ought to be able to replace it and re-establish a connection.

-- Were you able to download Combofix and TDSSKiller?
Let us know. We are going to need them.

It's midnight EST and I've got to run - will look at the logs as soon as I can and get back to you. Judy may beat me to it.

Cheers :)
PP

EDIT:
Never mind that last bit about Avira - I just saw it in the logs:

Error - 12/7/2011 4:12:25 AM | Computer Name = OWNER-0FE07171A | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

When I post back, we can repair NetBT and try to get the machine back online and hopefully make the cleaning process a bit easier....

ComboFix is running right now. It said it found a RootKit Virus, and sat there for a bit, then asked me to restart the computer. It is now restarted and ComboFix is running again. I took a quick screen shot of the actual message to get the name of the virus. (If it helps?)

It also said that I didn't have an active System Restore program running, however I had just created a restore point, shortly after I turned it on. Maybe the virus had infected that along with the wireless adapter I use.

The ComboFix auto scan is now telling me that it has "Completed Stage 4"

will post up the results after I run the TDSSKiller

Here is the ComboFix Log:

ComboFix 11-12-08.01 - Owner 12/08/2011 22:26:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.219 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\$NtUninstallKB25972$
c:\windows\$NtUninstallKB25972$\2319490435
c:\windows\$NtUninstallKB25972$\3449333996\@
c:\windows\$NtUninstallKB25972$\3449333996\bckfg.tmp
c:\windows\$NtUninstallKB25972$\3449333996\cfg.ini
c:\windows\$NtUninstallKB25972$\3449333996\Desktop.ini
c:\windows\$NtUninstallKB25972$\3449333996\keywords
c:\windows\$NtUninstallKB25972$\3449333996\kwrd.dll
c:\windows\$NtUninstallKB25972$\3449333996\L\okybosud
c:\windows\$NtUninstallKB25972$\3449333996\lsflt7.ver
c:\windows\$NtUninstallKB25972$\3449333996\U\00000001.@
c:\windows\$NtUninstallKB25972$\3449333996\U\00000002.@
c:\windows\$NtUninstallKB25972$\3449333996\U\00000004.@
c:\windows\$NtUninstallKB25972$\3449333996\U\80000000.@
c:\windows\$NtUninstallKB25972$\3449333996\U\80000004.@
c:\windows\$NtUninstallKB25972$\3449333996\U\80000032.$
c:\windows\$NtUninstallKB25972$\3449333996\U\80000032.@
c:\windows\CSC\d6
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
G:\autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-11-09 to 2011-12-09 )))))))))))))))))))))))))))))))
.
.
2011-12-04 01:55 . 2011-12-04 01:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-12-03 22:45 . 2011-12-03 22:45 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-03 22:44 . 2011-12-07 08:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-03 20:02 . 2011-12-03 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-01 02:15 . 2011-12-05 03:44 -------- d-----w- c:\documents and settings\Administrator
2011-11-30 18:29 . 2011-12-04 21:57 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-11-30 18:13 . 2011-11-30 18:13 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-11-09 05:08 . 2011-11-09 05:08 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AOL
2011-11-09 05:04 . 2011-12-05 18:06 -------- d-----w- c:\program files\Common Files\AOL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-08 01:39 . 2011-08-11 00:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 18:43 . 2011-10-21 06:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
"NWCU"="c:\program files\Wireless\NT-USB150M Wireless N Client Utility\NWCU.exe" [2009-11-18 557152]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 20:44 679936 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2011-08-19 00:43 137536 ----atw- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-07-15 02:06 136176 ----atw- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 19:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-11-11 17:55 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"WMZuneComm"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"g:\\Games\\RavenShield\\system\\ravenshield.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\SRB CUSTOMS\\Switch\\switch.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
"c:\\Program Files\\Wireless\\NT-USB150M Wireless N Client Utility\\NWCU.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/19/2011 11:55 AM 136360]
R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [4/19/2011 10:55 PM 1668352]
S4 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 12:57 PM 268528]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-05 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-19 00:43]
.
2011-12-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-19 00:43]
.
2011-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-15 02:06]
.
2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1482476501-725345543-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-15 02:06]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\wvpwlq2l.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-MozillaAgent - c:\windows\Temp\_ex-68.exe
AddRemove-{002FB560-E9F9-45CD-B94B-9B264D038C74} - c:\srb customs\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-08 22:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4336)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2011-12-08 22:46:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-09 03:46
.
Pre-Run: 32,934,670,336 bytes free
Post-Run: 32,969,920,512 bytes free
.
- - End Of File - - 23F91997C5D34B2B43F9089D7AD0A66E

Ok, It ran for 17 seconds, went thru 199 objects and found 0 threats.

ComboFix is running right now. It said it found a RootKit Virus, and sat there for a bit, then asked me to restart the computer. It is now restarted and ComboFix is running again. I took a quick screen shot of the actual message to get the name of the virus. (If it helps?)

--- Yeah screenshot would be cool - what rootkit did it identify?

-- I imagine you are still offline? Let's try this:
Click START > CONTROL PANEL > PERFORMANCE & MAINTAINANCE > ADMINISTRATIVE TOOLS > SERVICES
- RightClick DHCP Client and select STOP
- Navigate to C:\Windows\System32\Drivers and DELETE NetBT.sys (if it remains).
- Then go to C:\Windows\servicepackfiles\i386 and locate NetBT.sys.
Copy and Paste NetBT.sys from servicepackfiles\i386 into the C:\Windows\System32\Drivers Folder.
- Then, go back to Services and RightClick DHCP Client and select START

Reboot the computer for good measure and see if the connection is restored. If so, Update MBAM and run a full scan.

Let us know how you fare and we'll work from there.

Cheers :)
PP

It also said that I didn't have an active System Restore program running,

It isn't System Restore, it is the Recovery Console. Don't worry about it.
Plus, you are going to have to clean out System Restore once this is clean anyway.

--- Yeah screenshot would be cool - what rootkit did it identify?
PP

"Rootkit.ZeroAccess inserted itself into the tcp/ip stack"

ok I am at the DHCP Client and it is already stopped. If I click on 'Start' it tells me that it can not be started. Error 1075: The dependency service does not exist or has been marked for deletion.

Hopefully this means we're getting somewhere. Should I continue the steps you recommended and see what happens?

Ok, I walked thru the steps PP gave me, still no change.

Ok, I walked thru the steps PP gave me, still no change.

So, you were able to copy and paste the driver with no problem?

-- OK, let's try this. You'll need to open a command prompt:
START > RUN > Type cmd ENTER

Then, type or copy & paste the following and hit Enter:
netsh int ip reset c:\resetlog.txt

Note:
It is netsh<space>int<space> ip<space> reset<space> c:\resetlog.txt
Make sure to type it accurately or you'll get an error.

REBOOT the ill computer and see if that does the trick.

I will try to check back tomorrow PM EST.

Cheers :)
PP

OK, I just tried the above steps and it seems to have completely deactivated the wireless adapter. the gui is opening however everything is grayed out (un selectable).

I am wondering if re-installing the wireless software would resolve this?

I looked thru the files that Avira had quarrentined, and the rest all looked like they were restore points, compaired to the netbt.sys that you were focusing on.. Let me know and I can make a list of everything that Avira has set aside. I doubt I'll be on much this weekend, I have a few jobs lined up and helping the GF move too. Should be back Sunday night for sure..

I am wondering if re-installing the wireless software would resolve this?

Yeah - give that a try. Uninstall it and then reinstall it. Also check to make sure the DHCP Client is started - we may have to revisit that.

Resetting TCP/IP should correct the damage you noted from the malware.

-- Avira logs should be available to print or copy and paste.
I imagine you've got a number of infected restore points and, as Judy mentioned, we'll need to flush those after we complete the cleaning procedures.

I'll be around over the weekend - hopefully weather will be good and I can have another crack at those Camaro T-Tops....:)

PP

Yeah - give that a try. Uninstall it and then reinstall it. Also check to make sure the DHCP Client is started - we may have to revisit that.

Resetting TCP/IP should correct the damage you noted from the malware.

-- Avira logs should be available to print or copy and paste.
I imagine you've got a number of infected restore points and, as Judy mentioned, we'll need to flush those after we complete the cleaning procedures.

I'll be around over the weekend - hopefully weather will be good and I can have another crack at those Camaro T-Tops....:)

PP

So my two jobs I had lined up cancelled on me. I figure I'd jump back on here and keep cracking on this.

I uninstalled and reinstalled the wireless program. It is still doing the same thing, saying I'm connected and have full strenght connection, however it never gives me an address.

I went back and tried to start the DHCP, and got the same message as before. If I click on 'Start' it tells me that it can not be started. Error 1075: The dependency service does not exist or has been marked for deletion.
If I double click on it it brings up a new window showing 4 tabs: General, Log On, Recovery, and Dependencies. Under the General tab it states that
The file it is pointed to is c:\WINDOWS\system32\svchost.exe<SPACE>-k<SPACE>netsvcs

I uninstalled and reinstalled the wireless program. It is still doing the same thing, saying I'm connected and have full strenght connection, however it never gives me an address.

All right - let's throw the kitchen sink at it and see what happens:

Open a command prompt again and enter each of the following commands one by one:
sc start dhcp
sc start netbt
sc start ipsec
sc start tcpip
sc start afd
netsh int ip reset C:\resetlog.txt
netsh winsock reset
ipconfig /flushdns
ipconfig /all

REBOOT for good measure and see if that helps.

If not, please download and run Farbar Service Scanner
-- Check Include All Files and hit scan. It should produce a log. Please post the FSS.txt for me. That should show us what we are missing.

PP:)

All right - let's throw the kitchen sink at it and see what happens:

Open a command prompt again and enter each of the following commands one by one:
sc start dhcp
sc start netbt
sc start ipsec
sc start tcpip
sc start afd
netsh int ip reset C:\resetlog.txt
netsh winsock reset
ipconfig /flushdns
ipconfig /all

REBOOT for good measure and see if that helps.

If not, please download and run Farbar Service Scanner
-- Check Include All Files and hit scan. It should produce a log. Please post the FSS.txt for me. That should show us what we are missing.

PP:)

Here are the results from the above steps:

sc start dhcp
[sc] StartService FAILED 1075:
The dependency service does not exist or has been marked for deletion.

sc start netbt
[sc] StartService: OpenService FAILED 1060:
THe specified service does not exist as an installed service.

sc start ipsec
[sc] startservice FAILED 1056:
An instance of the service is already running.

sc start tcpip
[sc] StartService FAILED 1056:
An instance of the service is already running.

sc start afd
[sc] startservice FAILED 1056:
An instance of the service is already running.

netsh int ip reset c:\resetlog.txt
after pressing enter it jumped back to c:\

netsh winsock reset
Successfully reset the Winsock Catalog. You Must restart the machine in order to complete the rest.

ipconfig /flushdns
Windows IP Configuration
Successfully flished the DNS Resolver Cache.

ipconfig /all
(see Screenshot)

Ok, after I re-booted, it looks like my wireless adapter's software is not running. It has not popped up in the task bar, and when I opened the program manually everything is grayed out (unselectable).

I am going to run the FABAR Scanner now and see what happens.

Hey PP, your comment about the kitchen sink made me LOL. I spent all day Saturday, helping my gf and her sister move! That was about the only thing I actually didnt have to touch all weekend. It was a longggg moving day to say the least.

Any progress on those t-tops?

FSS.txt

Farbar Service Scanner
Ran by Owner (administrator) on 11-12-2011 at 22:31:53
Microsoft Windows XP Professional Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of NetBt. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of NetBt. The value does not exist.

File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****

Hey CCG,

Too cold for the T-tops. Was going to try a little silicone sealant, but will probably have to wait until spring. No worries, I suppose - after all, it is a 17 year old car.

-- As for the ill computer, let's try an oldie but goodie from Option^Explicit ---> Winsock XP Fix

Run that and hit fix - that ought to automatically repair the registry damage so we don't have to do it manually. If we have to do it manually then it becomes dicey.

Let me know how that shakes out.

PP:)

Hey CCG,

Too cold for the T-tops. Was going to try a little silicone sealant, but will probably have to wait until spring. No worries, I suppose - after all, it is a 17 year old car.

-- As for the ill computer, let's try an oldie but goodie from Option^Explicit ---> Winsock XP Fix

Run that and hit fix - that ought to automatically repair the registry damage so we don't have to do it manually. If we have to do it manually then it becomes dicey.

Let me know how that shakes out.

PP:)

I keep forgetting that up north, winter is starting to set in.

I just ran the Winsock XP Fix and am rebooting it now. Keeping my fingers crossed, and prayers being said.

I have rebooted, and logged in. The wireless connection is still listes as Disabled under the Network Connections. I can not select "Enable". I tried to click on the "Repair" option, and it sits there doing its diagnostics only to tell me that a connection can not be established to the network.

I have connected a wire to see if it was the wireless connection, and it is still searching for an address as well.

Ok - let's try to repair the registry damage done by the malware. I thought winsock fix might do it for us, but I guess not.

Anyhoo - first I suggest backing up the registry with a tool such as ERUNT
It is simple and quick and good to have as a "fallback" in the event we need it.

Then, please download the attached FixNetBT.txt
You need to actually download the text file to the desktop.
-- RENAME it to FixNetBT.reg

On the ill machine, DoubleClick FixNetBT.reg and allow it to merge into the registry.
REBOOT and see if that fixes the connection.

--- If not, run Farbar Service Scanner again and post those results.

PP:)

Ok - let's try to repair the registry damage done by the malware. I thought winsock fix might do it for us, but I guess not.

Anyhoo - first I suggest backing up the registry with a tool such as ERUNT
It is simple and quick and good to have as a "fallback" in the event we need it.

Then, please download the attached FixNetBT.txt
You need to actually download the text file to the desktop.
-- RENAME it to FixNetBT.reg

On the ill machine, DoubleClick FixNetBT.reg and allow it to merge into the registry.
REBOOT and see if that fixes the connection.

--- If not, run Farbar Service Scanner again and post those results.

PP:)

OK, I downloaded the file to my thumbnail, and then dropped it on my ill desktop. I must be missing something though. I right clicked and changed the name to .reg or do I need to do something else? It's still opening as a notepad file.